Wednesday, July 25, 2012

Top Cyber Threats: Security Research Roundup

Recent reports from Panda Security, Trend Micro, Websense,
Verizon, Sophos, Symantec, Group-IB and Bit9 have shed light on the
current state of malware, phishing, and other attack methods. From the rise of Trojans and ransomware to the functionality of
Android malware, these reports provide an insight into the current state
of the ever-changing threat landscape. Key findings include the following: almost all malware infections
are now the result of installation or injection by a remote attacker,
smaller organizations are increasingly being hit with targeted attacks,
ransomware is expanding from a focus on Russia to target a wide range of
countries, and two thirds of security professionals expect their
organizations to be hit by a cyber attack within the next six months.
For details, and for many more findings, read on.

NEW MALWARE STRAINS IN Q1 2012, BY TYPE:

According to Panda Security's PandaLabs Q1 2012 Report
[PDF file], six million new malware samples were created in the first
quarter of 2012. During that time period, Trojans represented 80.77
percent of all new malware, up from 73 percent of all malware in 2011.
Worms comprised 9.3 percent of samples, up from 8 percent in 2011, while
viruses made up 6.43 percent of samples, down from 14.25 percent in
2011.

MALWARE INFECTIONS BY TYPE IN Q1 2012:

Panda Security's PandaLabs Q1 2012 Report
[PDF file] found that Trojans caused 66.3 percent of all infections,
followed by worms at 8.39 percent and viruses at 7.9 percent. The
researchers highlight the fact that worms only caused 8.39 percent of
infections despite accounting for 9.3 percent of all new malware, which
is notable because worms usually cause more infections thanks to their
ability to propagate automatically. "This demonstrates that massive worm
epidemics have become a thing of the past, and have been replaced by a
silent Trojan invasion," they write.

MOST MALWARE INFECTED COUNTRIES IN Q1 2012:

According to Panda Security’s PandaLabs Q1 2012 Report
[PDF file], 35.51 percent of PCs are infected in the average country.
China has the most infections, with 54.25 percent of PCs infected, followed by
Taiwan and Turkey. Nine of the 10 least infected countries are in Europe
– the only non-European country in the top 10 list is Japan. Sweden is
the least infected country, with a record-setting infection rate of less
than 20 percent of computers.

THE RISE OF RANSOMWARE:

Trend Micro's TrendLabs Q1 2012 Security Roundup Report
[PDF file] states that ransomware, which holds systems and/or files
hostage unless victims pay a fee, was previously concentrated in Russia
but now targets a wide range of other countries. "The growth of
ransomware outside of Russia may be attributed to the growing
difficulties associated with payment methods and fake anti-virus," Trend
Micro threat response engineer Roland Dela Paz wrote in a blog post.
"[Fake anti-virus] as a business is composed of an economic ecosystem
that involves ring leaders, developers, middle men (affiliate networks),
advertisers, etc. Because of these challenges, some criminal groups
involved with [fake anti-virus] may seek alternative underground
businesses such as the ransomware business, thereby making the
ransomware market expand and flourish."

MALWARE COMING FROM TRUSTED LOCATIONS:

According to the Websense 2012 Threat Report,
malware redirects, malware hosting, and phishing are increasingly
occurring in "trusted locations" such as the U.S. and Canada. "Almost no
organization is going to block U.S. domains (the Web experience for
users would be impacted too severely)," the authors write. "So it makes
sense for cybercriminals to leverage these 'trusted' Web locations."

MALWARE INFECTION VECTORS:

According to Verizon's 2012 Data Breach Investigations Report
[PDF file], the most common malware infection vector has long been
installation or injection by a remote attacker. While just over half of
attackers used this vector in 2009, fully 95 percent used it last year.
"Its popularity as an infection vector likely stems both from the
attacker's desire to remain in control after gaining access to a system,
and its use in high-volume automated attacks against remote access
services," the report states.

MALWARE FUNCTIONALITY:

According to Verizon's 2012 Data Breach Investigations Report
[PDF file], the three most common functions of malware are logging
keystrokes and other forms of user input, sending data to external
locations, and backdoors. "It is important to note that none of these
functionalities are mutually exclusive and it's common for a single
piece of malware to feature several components," the report states. Data
exfiltration proved far less common in Verizon's 2012 report than in
the previous year, dropping from 79 percent in the 2011 report to 43
percent in the 2012 report.

MALWARE ON MACS:

Sophos recently analyzed
a snapshot of 100,000 of the millions of Mac computers that run the
company's free anti-virus software and found that one in five machines
was carrying Windows malware, while one in 36 (2.7 percent) of Macs were
found to be carrying Mac OS X malware. While the latter case would
certainly be more troublesome for the user, Macs that are carrying
Windows malware can easily spread it to other computers. Some of the
malware that Sophos detected dates back to 2007, and would have been
easily detected by any anti-virus software. "Cybercriminals view Macs as
a soft target, because their owners don't typically run anti-virus
software and are thought to have a higher level of disposable income
than the typical Windows user," Sophos senior technology consultant
Graham Cluley said in a statement. "Mac users must protect their computers now or risk making the malware problem on Macs as big as the problem on PCs."

EMAIL-BORNE MALWARE WORLDWIDE:

According to the Symantec Intelligence Report
[PDF file] for February 2012, the global ratio of email-borne viruses
in e-mail traffic was one in 274 e-mails, or 0.37 percent in February,
up 0.3 percent since January. In February, the report states, 27.4
percent of email-borne malware contained links to malicious Web sites, a
decrease of 1.6 percent from January. Luxembourg had the highest rate
of malicious e-mail activity in February, with one in every 63.9 e-mails
identified as malicious – in the U.S., the rate was one in every 436.5
e-mails. The most targeted industry in February was the public sector,
with one in 71.2 e-mails blocked as malicious. Education was the second
most targeted vertical, with one in 124.1 e-mails containing malicious
content.

GLOBAL GROWTH OF PHISHING:

The Symantec Intelligence Report
[PDF file] for February 2012 states that the global phishing rate
increased in February by 0.01 percent, with one in 358.1 e-mails (0.28
percent) comprising some form of phishing attack. The Netherlands was
the country most targeted by phishing attacks in February, with one in
152.8 e-mails identified as phishing. In the U.S., the rate was one in
753.5. The industry most targeted by phishing attacks in February was
the public sector, with one in 84.1 e-mails comprising a phishing
attack. Small to medium sized businesses with 1-250 employees were the
most targeted, with one in 265.7 e-mails comprising a phishing attack,
while large enterprises with more than 2,500 employees saw one in 361.9
e-mails containing a phishing attack.

SMALLER ORGANIZATIONS BEING TARGETED:

Symantec’s Internet Security Threat Report, Volume 17
[PDF file] notes that targeted attacks aren't just a source of concern
for larger companies – more than half of all targeted attacks in 2011
were directed at organizations with fewer than 2,500 employees, and
fully 17.8 percent were directed at organizations with fewer than 250
employees. The company notes that smaller organizations may be targeted
as a stepping stone because they're in the supply chain or partner
ecosystem of a larger, better-defended company. Similarly, while 42
percent of the targeted users are high-level executives, senior managers
and people in research and development, the majority of targets don't
themselves have access to confidential information – instead, they’re
targeted as a way of getting a foot in the door of a target company.

HACKING METHODS:

Verizon's 2012 Data Breach Investigations Report
[PDF file] breaks down the leading methods of hacking into two groups:
authentication attacks (stealing, brute forcing, or guessing of
credentials) and technical attacks that bypass or break authentication
altogether (e.g. SQL injection or backdoors). According to the report,
there are few clear distinctions between the methods used to target
small companies and those used to target larger ones. "Larger companies
do seem to be more adept at warding off the easier-to-prevent attacks;
however, approximately 98 percent of all records breached via stolen
credentials occurred in larger organizations," the report states.
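Both Verizon passages above point at the same defensive problem: the dominant infection vector is a remote attacker who installs malware after getting in, often through automated credential attacks on remote access services. The following is an added example, not part of the roundup or of any report it cites: a small detector that reads sshd-style authentication log lines, flags a source address that accumulates a burst of failed logins within a short window, and raises a higher-severity alert when a login from that address succeeds right after the burst (the case where the attacker now has a foothold). The log lines, the threshold of five failures in five minutes, and the year used to complete the syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not taken from any report on the page).
# 203.0.113.5 guesses passwords and then gets in; 198.51.100.7 is a user
# who mistyped a password once and later logged in with a key.
SAMPLE_LOG = """\
Jul 25 02:14:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jul 25 02:14:03 host sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Jul 25 02:14:05 host sshd[4105]: Failed password for root from 203.0.113.5 port 51126 ssh2
Jul 25 02:14:07 host sshd[4107]: Failed password for root from 203.0.113.5 port 51128 ssh2
Jul 25 02:14:09 host sshd[4109]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jul 25 02:14:11 host sshd[4111]: Accepted password for root from 203.0.113.5 port 51132 ssh2
Jul 25 02:20:00 host sshd[4200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 25 02:31:00 host sshd[4201]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2012):
    """Return a dict for an auth event, or None for lines we do not understand.
    Syslog timestamps carry no year, so the caller supplies one (2012 is an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector keyed on source IP.

    - 'bruteforce': the IP reached `threshold` failed logins inside `window`.
    - 'success_after_bruteforce': a login from that IP succeeded while the
      failure burst was still inside the window (attacker likely has access).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for e in events:
        # Drop failures that have aged out of the window for this source.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:  # fire once when the burst first crosses the line
                alerts.append({"kind": "bruteforce", "ip": e["ip"],
                               "failures": len(recent), "at": e["ts"]})
        elif len(recent) >= threshold:
            alerts.append({"kind": "success_after_bruteforce", "ip": e["ip"],
                           "user": e["user"], "method": e["method"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

The success-after-burst alert is the one worth paging on: a burst of failures alone is background noise on any internet-facing service, but a successful login from the same source within the window is the moment the "installation by a remote attacker" vector the report describes becomes possible. A single mistyped password followed by a key-based login minutes later, as with the second address in the sample, produces no alert.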

MOBILE ATTACK FUNCTIONALITY:

According to Symantec's Internet Security Threat Report, Volume 17
[PDF file], three factors are required for a major increase in mobile
malware to occur: a widespread platform, readily accessible development
tools, and sufficient attacker motivation. The first of those factors
was recently fulfilled with Android's rapid growth in popularity.
Symantec reports that more than half of all Android threats collect
device data or track user activities, and almost a quarter of the mobile
threats identified in 2011 were designed to send content. A popular way
for mobile malware writers to make money is by sending premium SMS
messages from infected devices, a technique that was used by 18 percent
of all mobile threats identified in 2011. Still, mobile malware does
much more than just send SMS – several attacks have been identified that
track a victim's location via GPS and steal personal information from
the victim's device.

THE RUSSIAN CYBERCRIME MARKET:

Russian cybercrime investigation and computer forensics firm Group-IB recently released a report entitled State and Trends of the Russian Digital Crime Market 2011
[PDF file], which estimates the financial performance of the entire
global cybercrime market in 2011 at $12.5 billion, and the Russian share
of that market at $2.3 billion. Russian-speaking cybercriminals, both
in and outside of Russia itself, hold more than a third of the global
cybercrime market, with estimated earnings of $4.5 billion. Key areas of
growth, Group-IB reports, include online banking fraud and DDoS
attacks. "The number of DDoS attacks in 2011 has grown as compared to
previous periods," the report states. "The main targets were usually
online stores and other representatives of the online business sphere.
It should be noted, however, that the average strength of attacks in
2011, as compared to 2010, has weakened, with botnets typically
numbering no more than 10,000 nodes used for attacking."

FEAR OF A CYBER ATTACK:

According to the 2012 Bit9 Cyber Security Research Report,
a survey of 1,861 IT and security professionals worldwide found that
almost two thirds of those surveyed expect their companies to be
targeted by a cyber attack in the next six months. Those who work at
larger organizations with more than 500 employees are much more
concerned than those who work at smaller companies. And while more than
half of the respondents in every market segment anticipate an attack,
almost three quarters of government security professionals do so. The
majority of respondents blame those fears on an increase in the number
of hackers, rather than media hype or any perceived security weaknesses.